# Manage the grsecurity sysctl tuning for this node.
#
# Pulls in the security utilities and the grsec group definition, then
# pins two grsecurity sysctls through nodo::subsystem::sysctl::entry:
#   kernel.grsecurity.grsec_lock      = 1  (order 'zz')
#   kernel.grsecurity.rwxmap_logging  = 0  (order 'xx')
# The order strings matter: grsec_lock makes the grsecurity sysctl tree
# read-only until reboot, so it must be applied after every other
# grsecurity setting. 'xx' sorts before 'zz', so the logging entry lands
# first and the lock lands last.
#
# NOTE(review): $ensure is not a parameter of this class; it is resolved
# from an enclosing (node/top) scope. Confirm where callers set it —
# with strict_variables enabled an unset $ensure is a compile error.
class nodo::subsystem::grsec {
  include nodo::utils::security::grsec
  include nodo::subsystem::grsec::group

  # Lock the grsecurity sysctls last ('zz') so the entries before it still
  # take effect.
  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.grsec_lock':
    order => 'zz',
    value => 1,
  }

  # Disable logging of RWX mmap/mprotect attempts. This removes a
  # detection signal from the kernel log, so keep the choice deliberate.
  nodo::subsystem::sysctl::entry { 'kernel.grsecurity.rwxmap_logging':
    order => 'xx',
    value => 0,
  }

  # Ship our own grsec.conf. It deliberately does not set
  # kernel.grsecurity.grsec_lock, so the lock stays under the control of
  # the sysctl entries above and our other sysctl configs can still be
  # managed. Background:
  # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810920
  file { '/etc/sysctl.d/grsec.conf':
    ensure => $ensure,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/nodo/etc/sysctl.d/grsec.conf',
  }

  # Remove the per-sysctl drop-ins left behind by older configs
  # (presumably an earlier revision of this class).
  $stale_configs = [
    '/etc/sysctl.d/kernel.grsecurity.rwxmap_logging.conf',
    '/etc/sysctl.d/kernel.grsecurity.grsec_lock.conf',
  ]
  file { $stale_configs:
    ensure => absent,
  }
}